Preparing for Brute Forcing attacks
0. Overview

When we look at a server's logs we have probably all run into lines like these:

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
pam_succeed_if(sshd:auth): error retrieving information about user developer
Invalid user developer from xxx.xxx.xxx.xxx
input_userauth_request: invalid user developer
pam_unix(sshd:auth): check pass; user unknown

Logs of this shape turn up often, and usually in runs of up to several dozen lines back to back. They are the trace of an attack that feeds in account names and passwords at random.

As for the risk: where password policy and rules are properly managed there is little danger of a password actually being cracked, but where anyone-could-guess passwords such as 1111, password or the company name are in use, an account can fall quickly.
In addition, when too many connections arrive at once, socket resources run out and legitimate access becomes difficult.
Below is one of the ways to get out from under this risk.
1. The application

The program introduced here is fail2ban. It watches the log file of the application being monitored and uses iptables to detect and block connection attempts. The blocking criterion is the number of failed connections and the time window in which that count is reached; for example, if there are 5 or more failed connections within 5 minutes, further connections from that address are blocked.
2. Site and download

The official fail2ban site is http://www.fail2ban.org

From the download page http://www.fail2ban.org/wiki/index.php/Downloads fetch the install package for the distribution you are running. For reference, I am using CentOS 6. Follow the link under the item "Red Hat/CentOS RPMs are available through EPEL." and download and install the package that adds the EPEL repository:

cd /usr/local/src/
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -ivh epel-release-latest-6.noarch.rpm

With this done, the preparation for installing fail2ban is complete.
3. Installing

Install it with yum:

yum install fail2ban
4. Configuring

Open /etc/fail2ban/jail.conf and check the following section. I chose to use only the sshd jail, but open the file yourself and enable whatever sections you need.

[DEFAULT]
# Whitelisted IPs that must never be blocked are listed here
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx/32
# How long (in seconds) a host stays blocked once it has been banned
bantime = 600
# Time window (in seconds) over which the log is searched for failures
findtime = 600
# Number of failures within findtime at which the host is blocked
maxretry = 5

There are many more jail definitions like the one below, but I will apply fail2ban to ssh connections only. To activate the jail, add enabled = true:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

Save the file, then enable and restart fail2ban:

chkconfig fail2ban on
service fail2ban restart
Verification

Check that a chain like the following has been added to iptables:

iptables -nL -v
...
Chain fail2ban-SSH (1 references)
 pkts bytes target  prot opt in  out  source     destination
 3570  402K RETURN  all  --  *   *    0.0.0.0/0  0.0.0.0/0

And in the fail2ban log:

fail2ban.server[6751]: INFO Stopping all jails
fail2ban.jail[6751]: INFO Jail 'sshd' stopped
fail2ban.jail[6751]: INFO Jail 'ssh-iptables' stopped
fail2ban.server[6751]: INFO Exiting Fail2ban
fail2ban.server[6953]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.3
fail2ban.database[6953]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
fail2ban.jail[6953]: INFO Creating new jail 'sshd'
fail2ban.jail[6953]: INFO Jail 'sshd' uses pyinotify
fail2ban.filter[6953]: INFO Set jail log file encoding to UTF-8
fail2ban.jail[6953]: INFO Initiated 'pyinotify' backend
fail2ban.filter[6953]: INFO Added logfile = /var/log/secure
fail2ban.filter[6953]: INFO Set maxRetry = 5
fail2ban.filter[6953]: INFO Set jail log file encoding to UTF-8
fail2ban.actions[6953]: INFO Set banTime = 600
fail2ban.filter[6953]: INFO Set findtime = 600
fail2ban.filter[6953]: INFO Set maxlines = 10
fail2ban.server[6953]: INFO Jail sshd is not a JournalFilter instance
fail2ban.jail[6953]: INFO Jail 'sshd' started

If you see log lines like these, installation and configuration completed normally.

In the log, Ban marks a block and Unban marks its release:

fail2ban.filter[8536]: INFO [sshd] Found 158.69.207.180
fail2ban.filter[8536]: INFO [sshd] Found 158.69.207.180
fail2ban.filter[8536]: INFO [sshd] Found 158.69.207.180
fail2ban.filter[8536]: INFO [sshd] Found 158.69.207.180
fail2ban.filter[8536]: INFO [sshd] Found 158.69.207.180
fail2ban.actions[8536]: NOTICE [sshd] Ban 158.69.207.180
fail2ban.filter[8536]: INFO [sshd] Found 108.0.11.43
fail2ban.actions[8536]: NOTICE [sshd] Unban 158.69.207.180
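As an added illustration that is not part of the original article, the following Python replays sshd log lines against the maxretry / findtime / bantime rule set in jail.conf above and produces the same Ban / Unban sequence the fail2ban log shows. The log excerpt and addresses are constructed, and the counting is a simplified model of the filter, not fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt in the style of the lines quoted above
# (203.0.113.x / 198.51.100.x are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[2001]: Invalid user developer from 203.0.113.7
Mar  1 10:00:03 host sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Mar  1 10:00:05 host sshd[2002]: Invalid user admin from 203.0.113.7
Mar  1 10:00:06 host sshd[2003]: Invalid user test from 203.0.113.7
Mar  1 10:00:08 host sshd[2004]: Invalid user oracle from 203.0.113.7
Mar  1 10:00:09 host sshd[2005]: Invalid user guest from 203.0.113.7
Mar  1 10:02:00 host sshd[2006]: Invalid user backup from 198.51.100.9
Mar  1 10:30:00 host sshd[2007]: Invalid user backup from 198.51.100.9
"""

# The two failure shapes in the article's log: "Invalid user X from IP" and
# the pam_unix "rhost=IP" field. Every matching line counts as one failure.
FAIL_RE = re.compile(r"(?:Invalid user \S+ from |rhost=)(\d{1,3}(?:\.\d{1,3}){3})")


def simulate(log_text, maxretry=5, findtime=600, bantime=600, ignoreip=("127.0.0.1",)):
    """Replay the jail rule: maxretry failures within findtime seconds -> Ban;
    a Ban lapses after bantime seconds -> Unban. Returns ordered (action, ip)."""
    failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    banned = {}                    # ip -> time the ban expires
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        # Syslog prefix "Mar  1 10:00:01"; the year is irrelevant for deltas.
        now, ip = datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group(1)
        for b, until in list(banned.items()):  # lapse expired bans first
            if now >= until:
                del banned[b]
                events.append(("Unban", b))
        if ip in ignoreip or ip in banned:
            continue  # whitelisted, or already blocked at the firewall
        window = failures[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned[ip] = now + timedelta(seconds=bantime)
            window.clear()
            events.append(("Ban", ip))
    return events
```

Running simulate(SAMPLE_LOG) bans 203.0.113.7 on its fifth failure and unbans it once bantime has elapsed, while 198.51.100.9, whose two failures are 28 minutes apart, never reaches maxretry inside findtime.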
5. Troubleshooting

fail2ban.filter[32750]: WARNING Determined IP using DNS Lookup: 185a25b149c226.greendata.pl = ['185.25.149.226']

If lines like the one above keep appearing without pause, set usedns = no in /etc/fail2ban/jail.conf and the problem goes away.

If the log shows the errors below and no chain is created in iptables:

fail2ban.action[32750]: ERROR iptables -w -N f2b-SSH#012iptables -w -A f2b-SSH -j RETURN#012iptables -w -I INPUT -p tcp --dport ssh -j f2b-SSH -- stdout: ''
fail2ban.action[32750]: ERROR iptables -w -N f2b-SSH#012iptables -w -A f2b-SSH -j RETURN#012iptables -w -I INPUT -p tcp --dport ssh -j f2b-SSH -- stderr: "iptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\n"
fail2ban.action[32750]: ERROR iptables -w -N f2b-SSH#012iptables -w -A f2b-SSH -j RETURN#012iptables -w -I INPUT -p tcp --dport ssh -j f2b-SSH -- returned 2
fail2ban.actions[32750]: ERROR Failed to start jail 'ssh-iptables' action 'iptables': Error starting action

the iptables v1.4.7 shown in the log does not accept the -w lock option that fail2ban passes. In /etc/fail2ban/action.d/iptables-common.conf change the setting lockingopt = -w to lockingopt = (empty) and the chains will be created.
[Original post link]: https://www.linux.co.kr/home2/board/subbs/board.php?bo_table=lecture&wr_id=1864

Real name: 이재석
e-mail: locli[at]superuser.co.kr
Affiliation: (주)수퍼유저코리아 (SuperUser Korea Co., Ltd.)